critical | 2026-03-10 | SAP NetWeaver | CVE-2026-27685

Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

SAP NetWeaver Enterprise Portal Administration

Our Take

Insecure deserialization with an RCE outcome on the portal server is serious. Note that this requires privileged access to exploit — it is not an unauthenticated attack. That said, if you have multiple portal admins or shared admin credentials, the blast radius is significant. If you run NetWeaver Enterprise Portal, this is a same-window patch.

Vulnerability Detail

Privileged users can upload malicious serialized objects through the Enterprise Portal Administration interface. When the server deserializes these objects, arbitrary code executes in the context of the portal server process, compromising confidentiality, integrity, and availability of the system.
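To make the bug class concrete, here is an added Java example (not SAP's code and not taken from the Note) showing the difference between an unfiltered `ObjectInputStream`, which instantiates whatever class graph the uploaded byte stream names, and the same read guarded by a JDK `ObjectInputFilter` allow-list with depth and size limits. The `PortalConfig` type, the filter pattern and the sample payloads are hypothetical stand-ins constructed for the demo; the only real API used is `java.io.ObjectInputFilter` (JDK 9+).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {

    // Hypothetical DTO standing in for the one type an admin upload is actually expected to carry.
    static final class PortalConfig implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        PortalConfig(String name) { this.name = name; }
    }

    // Vulnerable pattern: no filter, so any class named in the stream is resolved and instantiated,
    // and its readObject()/readResolve() logic runs before the application ever sees the result.
    static Object deserializeUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter is installed before the first readObject().
    // Classes not listed are rejected ("!*"), and the stream is capped in depth and size,
    // so an unexpected object graph fails with InvalidClassException instead of executing.
    static Object deserializeFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxbytes=65536;"                                 // structural limits
                + DeserializationFilterDemo.class.getName() + "$PortalConfig;" // the one expected type
                + "!*");                                                     // reject everything else
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Helper to build constructed sample payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PortalConfig("prod-portal"));          // what the endpoint should accept
        byte[] unexpected = serialize(new ArrayList<>(List.of("not-a-config"))); // any other class graph

        System.out.println("filtered, expected type: "
                + ((PortalConfig) deserializeFiltered(expected)).name);
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }
        System.out.println("unfiltered accepts anything: "
                + deserializeUnfiltered(unexpected).getClass().getName());
    }
}
```

The design point is that the check happens inside the JDK before any class other than the allow-listed one is loaded or constructed; validating the object after `readObject()` returns is too late, because by then the stream's own deserialization hooks have already run. Where a vendor patch is not yet applied, a process-wide filter via the `jdk.serialFilter` system property applies the same allow-list to every `ObjectInputStream` in the JVM, which is a useful defence-in-depth layer on top of the access restrictions in the workaround.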

Workaround

Restrict access to Enterprise Portal Administration to only trusted administrator accounts. Monitor upload activity in portal admin interfaces.

Patch Action

Apply SAP Note 3714585.

Affected Versions

EP-RUNTIME 7.50

Patch Info

Timing

🔴 Patch immediately

CVSS Score

9.1

SAP Note

3714585

CVE

CVE-2026-27685

Published

2026-03-10

Timing recommendations are editorial. Verify against official SAP Security Notes before acting on production systems.